Programmers, Hackers, and Web Application Security

Some people are quite fearful of programmers and web developers. When a company has to let go of a developer, there is usually a lot of fear that the disgruntled employee will hack their network or web site, and a frantic rush to change passwords and tighten security. Quite frankly, this is a misguided precaution, because most programmers and web developers don’t know much about hacking. The truth is that hacking is hard work and a specialized skill. Most programmers don’t have the time to learn how to hack sites or networks. A serious developer will only be interested in learning skills that have some value in the workplace; he will not want to spend a lot of time and hard work on something that could only get him in trouble.

However, there are some forms of hacking that a web developer should be familiar with in order to create secure web applications. A web developer needs to understand SQL injection attacks and cross-site scripting attacks. These two types of vulnerabilities are specifically due to poor web application design and can only be corrected by sophisticated coding. I’ve bought a book entitled Hacking the Code: ASP.NET Web Application Security by Mark M. Burnett and James C. Foster which I plan to read soon.

Another security issue that web developers usually need to deal with is the web server configuration. Disabling a web site’s directory browsing and managing anonymous access and authentication are common tasks. Unfortunately, most web developers are more interested in opening up permissions in order to get their web applications working than they are in tightening permissions.

It is not enough to just learn how to prevent SQL injection and cross-site scripting attacks. A lot of books and technical articles limit themselves to describing best practices and never tell you how to execute these attacks or provide working exploits. Although this is an understandable precaution, you can never be sure that your countermeasures will work unless you can test them. A very minor coding error can leave you vulnerable, and the only way to ensure your security is to try the exploit against your web application as a test. You can never assume that you are secure without testing it, and this requires actual knowledge of how to make an attack.
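An added illustration of the testing approach argued for above (it is not code from this post or from the book it mentions): a login query built by string concatenation beside its parameterised replacement, both run against a constructed in-memory SQLite table with the textbook tautology input, written as a check that the countermeasure actually holds rather than assumed to. Python and sqlite3 stand in for the ASP.NET stack the post discusses; the table, row and credentials are made up for the example.

```python
import sqlite3

# Constructed sample data: one user row in an in-memory database.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"

# The classic tautology input every SQL injection chapter starts with.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    # The vulnerable 'before': user input is spliced into the SQL text,
    # so the quote characters in the input change the query's structure.
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND password = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, user, pw):
    # The countermeasure: a parameterised query. The driver passes the
    # values separately, so they can never be parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


def countermeasure_holds():
    """The test the post asks for: run the known attack input against the
    hardened code and confirm it fails, while valid logins still succeed."""
    conn = make_db()
    # Real credentials must work with both versions.
    if login_concat(conn, SAMPLE_USER, SAMPLE_PASSWORD) != [SAMPLE_USER]:
        return False
    if login_param(conn, SAMPLE_USER, SAMPLE_PASSWORD) != [SAMPLE_USER]:
        return False
    # The tautology bypasses the concatenated query (password check is
    # short-circuited by OR) but is just a non-matching string to the
    # parameterised one.
    vulnerable = login_concat(conn, SAMPLE_USER, TAUTOLOGY)  # ['alice']
    hardened = login_param(conn, SAMPLE_USER, TAUTOLOGY)     # []
    return vulnerable == [SAMPLE_USER] and hardened == []
```

Dropping this into a unit-test suite means a later "minor coding error" that reintroduces string building is caught by the build rather than by an attacker.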

And by the way, it is usually a bad idea to let go of your web developer. Not because of security concerns but because your web developer will have built up considerable expertise in working with your web applications and you should not throw that away.
